PROOFS OF WORK AND BREAD PUDDING PROTOCOLS

FIELD OF THE INVENTION 

This invention relates generally to proofs of work (POW), and, more particularly, 
to methods for harvesting a computational effort invested in a POW to accomplish a separate, 
useful and verifiably correct computation. 

BACKGROUND OF THE INVENTION 

In many cryptographic protocols, a prover seeks to convince a verifier that he 
possesses knowledge of a secret or that a certain mathematical relationship holds true. For 
example, in the Schnorr identification protocol, the prover seeks to demonstrate possession of a 
secret key corresponding to a specific authenticated public key. By contrast, in a POW, a prover 
demonstrates to a verifier that he has performed a certain amount of computational work in a 
specified interval of time. Although not defined as such or treated formally in the literature, 
POWs have served as the basis for a number of data security applications, including, 
benchmarking, server access metering, construction of digital time capsules, and protection 
against spamming and other denial-of-service attacks. A drawback to the use of POWs, 
however, is the fact that they impose a significant computational load in excess of that associated 
with many conventional cryptographic protocols. 

SUMMARY OF THE INVENTION 

A technical advance is achieved in the art by providing a method for a verifier to 
use a computational effort invested in a proof of work for a separate operation. 

An exemplary method for using a computational effort invested in a proof of 
work (POW) includes: distributing a task among a plurality of entities; receiving a POW relating 
to said task from one of said plurality of entities; and using said POW to accomplish said task. 

An alternate method for using a computational effort invested in a proof of work 
(POW) includes: partitioning a minting operation into a plurality of sub-tasks; distributing one 
of said plurality of sub-tasks to one of a plurality of entities; receiving a POW from said one of 
said plurality of entities; and using said POW to accomplish said minting operation. 

Yet an alternate method for using a computational effort invested in a proof of 
work (POW) includes: distributing a minting operation among a plurality of entities in a manner 
that maintains privacy in said minting operation; receiving a POW relating to said minting 
operation from one of said plurality of entities; and using said POW to accomplish said minting 
operation. 

The bread pudding protocol of the present invention represents a novel use of 
proofs of work and is based on the same principle as the dish from which it takes its name, 
namely, that of reuse to minimize waste. Whereas the traditional bread pudding recipe recycles 
stale bread, a bread pudding protocol recycles the "stale" computations in a POW to perform a 
separate and useful operation, while also maintaining privacy in the operation. In one 
advantageous embodiment of a bread pudding protocol, we consider the computationally 
intensive operation of minting coins in the MicroMint scheme of Rivest and Shamir and 
demonstrate a novel minting approach by partitioning the minting operation into a collection of 
tasks, distributing the tasks among a large group of untrusted computational devices, and 
harvesting the computational effort invested in POWs relating to the tasks to perform the minting 
operation. Thus, this approach requires little or no capital investment in costly hardware on the 
part of the minter in order to accomplish the minting operation. 

Other and further aspects of the present invention will become apparent during the 
course of the following description and by reference to the attached drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIGS. 1A - 1C illustrate an exemplary architecture for practicing the bread 
pudding protocol of the present invention. 

FIG. 2 is a flowchart illustrating an advantageous embodiment of the bread 
pudding protocol of the present invention. 

FIG. 3 is a flowchart illustrating an alternate embodiment of the present invention. 

FIG. 4 is a flowchart illustrating yet another embodiment of the present invention. 

DETAILED DESCRIPTION 

FIGS. 1A and 1B illustrate an exemplary architecture for practicing an illustrative 
embodiment of the bread pudding protocol of the present invention. As shown in FIGS. 1A and 
1B, the architecture comprises entities 1, 2 and 3 through n (all of which may be servers). 
Although entity 1 is illustrated in FIGS. 1A and 1B as being distinct from entity 2, in an alternate 
embodiment, entities 1 and 2 may be the same entity. To begin, with reference to FIG. 1A, 
entity 1 has a computational task to perform. In furtherance of that task, entity 1 instructs entity 
2 to perform some computational work related to the task. Entity 2 will then out-source the work 
related to the task to each of entities 3 through n. Outsourcing may be accomplished by dividing 
the work into components and assigning each entity 3 through n a different component. As 
shown in FIG. 1B, as each entity 3 through n completes its component of work, each entity will 
respond with its reply. Each of the replies is a POW (referred to herein as "POW1"). Entity 2 
then compiles the replies into a response and transmits the response to entity 1. This response is 
also a POW (referred to herein as "POW2"). Finally, entity 1 verifies the response. 

Rather than discarding the computation in POW1, however, the computation can 
instead be used by entity 2 to convince entity 1 to accept its POW2. Thus, POW1 is a bread 
pudding protocol for POW2. Similarly, entity 1 can use the computation performed in POW2 to 
aid in the successful completion of the task originally sought to be performed by entity 1. Thus, 
POW2 is also a bread pudding protocol. 

Before we describe in greater detail the bread pudding protocols of the present 
invention, we first set forth the following definitions, which, although not intended to be 
limiting, enable us to characterize POWs and some of their associated properties (such as 
hardness, soundness, efficiency and independence), and permit us to illustrate how many of these 
properties are present in our bread pudding protocols. 

Like any other type of proof protocol, a POW may be either interactive or non-interactive. 
An interactive proof is a multi-round protocol executed by a prover P and a verifier 
V. In our consideration of POWs, we assume that both P and V may perform an arbitrary 
number of acts such as private coin flips during the protocol execution. At the end of the 
protocol, V decides either to accept or reject. If V accepts, then the protocol is successful. 
Otherwise, it has failed. A non-interactive proof involves only one round of communication 
from the prover. Let c_V denote the private coin flips of V. In order to ensure the security of the 
proof, it is necessary to generate c_V in a manner that cannot be effectively controlled by the 
prover. By analogy with non-interactive proofs for standard cryptographic properties, we may 
accomplish this by reference to a public source of randomness or by some other appropriate 
means such as, e.g., generating c_V using the hash of some protocol-specific value. Thus, in a 
non-interactive proof protocol, the prover simulates a communication from the verifier, and then 
sends its transcript to the verifier. 

An important variant on these ideas is that of an implicit POW. An implicit POW 
is a type of non-interactive proof protocol in which verification is not performed by a verifier, 
but is determined by the ability of the prover to perform a given task. For example, a correct 
POW transcript can serve as a decryption key for some escrowed key or document. Thus, the 
prover or any other party is capable of verifying a correct implicit POW without the active 
participation of the verifier. 

Let us assume in our definitions, for the sake of simplicity, that no 
communications latency is incurred in a POW. We define the start time t_s of a POW execution 
to be the time at which the verifier initiates its first round of communication. The completion 
time t_c is the time at which the last round of a POW execution is complete. The aim of a POW 
is to enable P to demonstrate that she has performed a certain amount of computation within the 
time interval [t_s, t_c]. Let poly denote any polynomial in a given variable. (We use the informal 
notation poly(x) to denote a polynomial in the variable x, and o(1/poly(x)) to denote a quantity 
that is asymptotically smaller than the inverse of any polynomial in x.) Let l be a security 
parameter. Finally, let us assume that the prover is permitted to perform an arbitrarily large 
amount of computation prior to the protocol execution. Thus, in fact, our definitions assume that 
the prover may perform computation over the time interval [-∞, t_c]. We characterize the 
hardness of a POW using the following two definitions, where probabilities are over the coin 
flips of both parties, and computational steps and memory resources are as measured in any 
suitable model. Definition 1 provides the notion of a lower bound on POW hardness, while 
Definition 2 provides that of an upper bound. 

Definition 1 We say that a proof of work POW is (w, p)-hard if the following is 
true. Suppose prover P with memory resources bounded by m performs an average, over all coin 
flips by P and V, of at most w steps of computation in the time interval [t_s, t_c]. Then the verifier 
V accepts with probability at most p + o(m/poly(l)), where l is a security parameter. 

Definition 2 We say that a proof of work POW is (w, p, m)-feasible if there 
exists a prover P with memory resources bounded by m such that with an average of w steps of 
computation in the time interval [t_s, t_c], the prover can cause the verifier V to accept with 
probability at least p. This leads to the following definition. Note that it is possible to relax both 
this and the next definition to allow for, e.g., (w, 1 - ε, poly(l))-feasibility where ε is a quantity 
negligible with respect to the security parameter l. For the sake of simplicity, we do not consider 
such definitional variants. 

Definition 3 We say that a proof of work POW is sound, if, for some w, POW is 
(w, 1, poly(l))-feasible, where l is a security parameter. 

A POW may be regarded as efficient if the verifier performs substantially less 
computation than the prover. We say that such proof has a larger "advantage", defined as 
follows. 

Definition 4 Let POW be a sound proof of work, and w be the minimum value 
such that POW is (w, 1, poly(l))-feasible, where l is a security parameter. Let z be the maximum 
amount of computation performed by the verifier on a correct transcript for POW. The 
advantage of POW is equal to w/z. 

Recall that one of the aims of our definitions is to consider whether it is possible 
for a prover to "cheat" somehow on batches of POWs. In particular, we consider whether it is 
possible for the prover to perform multiple, possibly interleaved proofs of work successfully with 
less computation than that required for performing the POWs individually. This leads us to 
define the notion of independence on POWs. Our definition ensures that independent POWs are 
not vulnerable to prover cheating in the form of batch processing. 

Definition 5 Let POW1 and POW2 be two proofs of work for which the 
respective coin flips of the verifier are generated independently. Let POW' be a proof of work 
constructed by combining (possibly interleaving) POW1 and POW2. In other words, the verifier 
accepts for POW' if it accepts for POW1 and for POW2. We say that POW1 and POW2 are 
independent if the following is true. If POW' is (w, p, m)-feasible, then for some w1, w2, p1, and 
p2 such that w = w1 + w2 and p = p1p2 + o(m/poly(l)), where l is a security parameter, it is the 
case that POW1 is (w1, p1, m)-feasible and POW2 is (w2, p2, m)-feasible. 

In order to make our definitions more concrete, we now present an example of a 
POW. This POW is very similar to that employed in several proposed security protocols. It is 
also similar to the basis of our bread pudding protocol for MicroMint, which will be discussed in 
detail hereinafter. This POW, which we call a partial inversion proof of work (PIPOW), requires 
two rounds: Let h: {0,1}^l -> {0,1}^l represent a one-way function. The verifier V generates a 
random bitstring x of length l and computes the image y = h(x). Let x' be the first l - k bits of x, 
where k < l. V sends the pair (x', y) to P. In order to complete the POW successfully, P must 
calculate a valid pre-image x of y. It is easy to see that PIPOW is (w, 1/(2^k - w), O(l))-feasible 
for any integer w ∈ [0, 2^k - 1]. In addition, PIPOW is (w, p)-hard for any integer w ∈ [0, 2^k - 1] 
and p = 1/(2^k - w). 
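
The PIPOW exchange above as a runnable sketch. This is an added example, not part of the patent text; SHA-256 as the one-way function h, the sizes l = 32 and k = 12, and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

L_BITS = 32   # l: pre-image length in bits (assumed, small for a demo)
K_BITS = 12   # k: number of trailing bits of x withheld from the prover


def h(x: int) -> bytes:
    """Stand-in one-way function: SHA-256 over the l-bit value (assumption)."""
    return hashlib.sha256(x.to_bytes(L_BITS // 8, "big")).digest()


def verifier_challenge(rng=secrets.randbits):
    """V picks a random l-bit x and returns the challenge (x', y) plus x itself."""
    x = rng(L_BITS)
    x_prefix = x >> K_BITS            # x': the first l - k bits of x
    return (x_prefix, h(x)), x


def prover_solve(x_prefix: int, y: bytes):
    """P tries the 2^k possible completions of x'; returns (pre-image, hashes used)."""
    base = x_prefix << K_BITS
    for steps, suffix in enumerate(range(1 << K_BITS), start=1):
        candidate = base | suffix
        if h(candidate) == y:
            return candidate, steps
    return None, 1 << K_BITS


def verifier_check(y: bytes, answer) -> bool:
    """V accepts any valid pre-image of y; this costs V a single hash."""
    return answer is not None and 0 <= answer < (1 << L_BITS) and h(answer) == y


def average_work(trials: int) -> float:
    """Mean number of hashes P spends per POW; tends towards about 2^(k-1)."""
    total = 0
    for _ in range(trials):
        (x_prefix, y), _x = verifier_challenge()
        total += prover_solve(x_prefix, y)[1]
    return total / trials


if __name__ == "__main__":
    (x_prefix, y), _secret_x = verifier_challenge()
    answer, steps = prover_solve(x_prefix, y)
    print("accepted:", verifier_check(y, answer), "prover hashes:", steps)
    print("average prover hashes over 50 runs:", average_work(50))
```

The prover never needs more than 2^k hashes, while the verifier spends one, which is the gap Definition 4 calls the advantage.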

FIG. 2 is a flowchart illustrating one embodiment of the bread pudding protocol 
of the present invention. To begin with, entity 1 wants to compute a function f on an input g, 
where f defines the process to be evaluated and g defines the input parameters. In step 200, 
entity 1 transmits the function f and input g to entity 2. In step 205, entity 2 (which, as 
previously mentioned, may be the same as entity 1) decides to outsource the work of computing 
the function f to one or more entities 3 through n. This may be accomplished by subdividing the 
function f and input g into f_1, f_2, ... f_{n-2} and g_1, g_2 ... g_{n-2}, respectively, and transmitting the pair 
(f_1, g_1) to entity 3, (f_2, g_2) to entity 4, ... and (f_{n-2}, g_{n-2}) to entity n. Whether or not the function f 
is equal to f_1, f_2 ... f_{n-2} and/or whether or not the input g is equal to g_1, g_2 ... depends upon the 
function f and input g to be evaluated. 

In step 210, entity 3 returns its result of computing the function f_1 on input g_1 to 
entity 2. The value x_1 is the result and represents a POW (herein a "POW1"). Likewise, entities 
3 through n return the results of their computations, and these represent a POW1 as well. It 
should be noted that not all of the entities may succeed. In other words, not all of the entities will 
have a result to return to entity 2. In any event, in step 215, entity 2 verifies replies x_1 through 
x_{n-2}. In step 220, entity 2 compiles the replies into a response x. The response x, like each of the 
replies, also constitutes a POW (herein "POW2"). In step 225, entity 2 then transmits the 
response to entity 1. In step 230, entity 1 verifies the response by determining whether g = f(x). 

In accordance with an illustrative embodiment of the present invention, the 
computation in POW1 may be used by entity 2 in steps 215 and 220 both to achieve a security 
goal vis-a-vis each entity 3 through n (such as restricting resource access, benchmarking, 
construction of digital time capsules, and protection against spamming and other denial-of- 
service attacks) and, in addition, to convince entity 1 to accept POW2. In step 235, entity 1 can 
similarly use POW2 both to achieve a similar security goal and to aid in the successful 
completion of the task it originally sought to perform - namely, computing the function f on an 
input g. As we shall see, one such task is the minting of coins in a MicroMint scheme. 

The bread pudding protocol of the present invention is preferably performed in a 
manner such that knowing (f_1, x_1, g_1) ... (f_{n-2}, x_{n-2}, g_{n-2}) or some portion thereof does not leak 
valuable information to the servers 3 ... n. This valuable information may be f, g, or some 
combination of these. One mechanism for maintaining privacy in such information is discussed 
in connection with our bread pudding protocol for MicroMint, and involves keying the function f 
with a secret value which prevents the provers from stealing the result of the computation (in this 
case, the bits that are the coins) by copying the available information. 

With the foregoing in mind, we now present a definition which relates to the 
notion of a bread pudding protocol. Suppose that POW1 is a (w, p)-hard proof of work. Let P1 
denote the prover involved in this proof of work, and V1 the corresponding verifier. Suppose 
that P1 is also a verifier (denoted V2) in a proof of work POW2, for which the prover is denoted 
P2. We say that POW2 is a bread pudding protocol for POW1 if the following is true. If P1 (= V2) 
accepts the transcript for POW2, then P1 can perform w - ε computational steps over the duration 
of POW1 for ε > 0, and convince V1 to accept its transcript with probability at least p. 

In this definition, we see that the computation that P2 performs in POW2 is 
recycled for use in POW1. In a sense, we may regard POW2 as an oracle for POW1. A bread 
pudding protocol POW2 is one in which this oracle reduces the computational burden of prover 
P1 in the POW1. If POW1 is an implicit bread pudding protocol, then POW2 may be viewed as 
helping to solve a computational problem, rather than aiding in successful completion of an 
interactive POW. Of course, trivially, if POW2 = POW1, then POW2 is a bread pudding protocol 
for POW1. In order for POW2 to be of interest as a bread pudding protocol, it must be efficient, 
in the sense that ε must be reasonably large. It preferably also has additional properties, such as 
robustness, or information hiding or divisibility, i.e., the ability to generate independent copies 
such that it is possible to derive useful work from multiple, independent provers. As we shall 
demonstrate, our bread pudding protocol for MicroMint has all of these. 

In another advantageous embodiment of the present invention, we consider the 
computationally intensive operation of minting coins in the MicroMint scheme developed by 
Rivest and Shamir (See R.L. Rivest and A. Shamir, "Payword and Micromint - Two Simple 
Micropayment Schemes", CryptoBytes, 2(1):7-11, Spring 1996). As will be discussed in detail 
hereinafter, in accordance with the present invention, the task of minting in the Rivest and 
Shamir scheme can be accomplished by partitioning the minting operation into a collection of 
tasks, distributing the tasks to a large group of untrusted computational devices, and harvesting 
the computational effort invested in POWs relating to the tasks to accomplish the minting 
operation. In addition, the POWs also can serve in their own right as mechanisms for security 
protocols, such as restricting resource access. 

A "coin" in the MicroMint scheme consists of a k-way hash function collision, 
that is to say, a set {x_1, x_2, ... x_k} of pre-images or "solutions" that map to a single image. 
Suppose that the hash function h used for minting maps l-bit pre-images to l-bit images. The 
process of finding collisions may be thought of as that of throwing balls uniformly at random 
into a set of 2^l bins. Throwing a ball corresponds in this model to choosing a pre-image x and 
placing it in the bin with index h(x). When k balls land in a single bin, they together constitute a 
coin. MicroMint's security is based on the hardness of finding hash function collisions. For 
forgery to be successful, it must take place on too large a scale to make the effort worthwhile. 

If l is to be large enough to ensure an adequate level of security, the storage 
overhead associated with maintaining 2^l bins will be prohibitively large. Rivest and Shamir thus 
describe the following variation on the basic scheme. Let l = t + u. A ball (pre-image) x is 
considered valid only if the t least significant bits of h(x) match some pre-selected, random value 
s. (If invalid, the ball may be considered to miss the set of bins.) A valid ball is thrown into one 
of a set of 2^u bins, according to the value of the u most significant bits of h(x). Although the 
computational effort associated with minting is still high, the number of bins is smaller. It is also 
possible in Rivest and Shamir's scheme to key the hash function h with a secret value r that is 
only released on the issue date to prevent a potential forger from initiating her effort prior to a 
given coin issue. 

FIG. 3 is a flowchart illustrating an advantageous embodiment of the present 
invention in a MicroMint setting. In step 300, entity 1 transmits the hash function h to be used in 
identifying collisions to entity 2. In step 305, entity 1 transmits input g to entity 2, where g 
comprises instructions to look within a pre-defined search space for "k" l-bit pre-images that 
hash to a range y of l-bit images whose "t" least significant bits have the value "s", where, for 
security purposes, l is very large. (As mentioned above, it is also possible to key the hash 
function h with a secret value r as a further deterrent against forgery, as will be illustrated in yet 
an alternate embodiment.) For ease of illustration, suppose entity 1 elects to map 4-bit pre- 
images to 4-bit images, and defines the values t and s as 2 and 00, respectively. In that case, there 
would be sixteen possible pre-images (i.e., a search space of sixteen) and four possible images 
whose 2 least significant bits are 00. The four possible images would correspond to the "bins" 
into which a valid pre-image or "ball" is "thrown" using hash function h. 

In step 310, entity 2 transmits the hash function h to entities 3 through n. In step 
315, entity 2 subdivides input g into g_1, g_2, ... g_{n-2}, where each subdivision g_{n-2} defines a subset of 
the pre-image search space in which to look for values that hash to the range "y" of images 
whose "t" least significant bits have the value "s". Thus, each entity 3, 4, ... n, would be assigned 
a different portion of the pre-image search space in which to search. For example, in a search 
space of sixteen 4-bit pre-images (once again, chosen for ease of illustration), entity 3 may be 
assigned pre-images 0000 through 0011 to search, entity 4 may be assigned 0100 through 0111, 
etc., until the entire pre-image search space has been assigned. In step 320, entity 2 transmits 
inputs g_1 through g_{n-2} to entities 3 through n, respectively. 

In step 325, entities 3, 4, ... n transmit replies x_1, x_2, ... x_{n-2} to entity 2. Each of 
these replies comprises a POW. If entities 3 through n are successful (not all may succeed), each 
reply will be an l-bit pre-image that hashes to an l-bit image within the pre-defined range y or, in 
other words, to a valid ball. The l-bit pre-image is a POW (referred to herein as POW1). In step 
330, entity 2 verifies the replies x_1 through x_{n-2}. In step 335, entity 2 compiles k replies into a 
response x. The response x is also a POW (referred to herein as POW2). In step 340, entity 2 
transmits the response to entity 1. In step 345, entity 1 verifies the response by determining 
whether y = f(x), or, in other words, by determining whether x hashes to an image within the 
specified range y. 

The computation in POW1 may then be used by entity 2 in step 335 to achieve 
acceptance of POW2 by entity 1. Similarly, in step 350, entity 1 can use the computation 
performed in POW2 to aid in the successful completion of the task it originally sought to perform 
- namely, finding k pre-image values that hash to the specified range for purposes of minting 
coins. In addition, as shown in steps 330 and 350, these POWs can also be used to achieve a 
separate security goal, such as restricting resource access. 

FIG. 4 illustrates yet another advantageous embodiment of the present invention. 
Once again, this embodiment is presented in the context of a bread pudding protocol for the 
MicroMint minting operation. As will be discussed in detail hereinafter, this bread pudding 
protocol is robust and independent (as defined above), and, in addition, possesses information 
hiding properties. 

Let h be a suitable hash function and || denote string concatenation. In step 400, 
entity 1 randomly selects a secret value "r" specific to each coin to be minted and calculates 
h(r || i) to derive y_i for i = 1 to k. The value "i" is a counter used by the parties to identify a particular 
pre-image or "ball" (i.e., 1st, 2nd, ... kth), where k balls constitute a coin, as will be described 
further hereinafter. In one embodiment, the secret value "r" is augmented with a portion specific 
to the period of the coin's validity as an additional measure of security. Alternatively, the period 
of validity may simply be an additional value \i to be concatenated with the values r and i in 
deriving images y_i. In step 405, entity 1 transmits hash function h to entity 2 (if h is not a well-known 
hash function previously agreed to by the parties). In step 410, entity 1 instructs entity 2 
to find, for each y_i, a pre-image value x_i, such that h(x_i || y_i) is equal to a target value "s". In our 
illustrative embodiment, entity 1 instructs entity 2 to find pre-image values where the "t" least 
significant bits of h(x_i || y_i) are equal to s. In this embodiment, the "bin" into which a ball is 
thrown is determined by the u most significant bits of h(x_i || y_i). 

In step 415, entity 2, in turn, transmits hash function h to entities 3, 4 ... n (if not 
already known by these entities). In step 420, entity 2 transmits all of the pairs (i, y_i) together 
with pair (s, t) to entities 3, 4, ... n, and instructs them to find pre-image values such that the t 
least significant bits of h(x_i || y_i) are equal to s. Entity 2 also may instruct each entity 3, 4, ... n to 
search for collisions in a different pre-image search space, thereby avoiding any overlap in effort. 
In step 425, entities 3 through n transmit replies x_i to entity 2. It may be the case that not all of 
these entities have replies to return. For those that do, however, the replies are in the form of a 
triple (i, x_i, y_i). The replies are POWs, each of which requires an average computational effort of 
2^(t-1) hashes for the prover. In fact, it may be seen that these are (w, 1/(2^t - w), O(l))-feasible and 
also (w, 1/(2^t - w))-hard POWs, in accordance with the definitions and example discussed in 
detail above. 

In step 430, entity 2 checks the validity of each ball. This involves a single hash 
to verify that the least significant t bits of h(x_i || y_i) are equal to s. In step 435, entity 2 compiles 
the replies into a response and, in step 440, transmits the response to entity 1. The response is 
also a POW. In step 445, entity 1 verifies the response using two hashes for each ball: one hash 
using the secret value r to verify that y_i = h(r || i); and one hash to verify that the least significant 
t bits of h(x_i || y_i) are equal to s. 

Once entity 1 has collected "k" valid balls (i.e., x_1, x_2, ... x_k), he is in possession 
of a coin (assuming entity 1 defined a coin as a "k"-way collision), and thus, has successfully 
shifted the burden of the minting operation onto a large group of untrusted computational devices 
by partitioning the minting operation into a collection of POWs. 
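
The FIG. 4 flow (steps 400 through 445) as a runnable sketch. This is an added example, not part of the patent text; SHA-256 truncated to l bits as h, the tiny sizes t = 10 and u = 6, the fixed-width encoding of "||", and all function names are assumptions. It treats k verified balls as the coin, as the paragraph above does, and computes the bin index only for reporting.

```python
import hashlib

T_BITS = 10                 # t: low-order bits of the hash that must equal s
U_BITS = 6                  # u: high-order bits that select the bin
L_BITS = T_BITS + U_BITS    # l = t + u (tiny on purpose so the demo runs quickly)
K = 4                       # k balls make one coin


def enc(n: int) -> bytes:
    """Fixed-width encoding so that '||' (concatenation) is unambiguous."""
    return n.to_bytes(8, "big")


def h(data: bytes) -> int:
    """Stand-in for the hash h: SHA-256 truncated to l bits (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - L_BITS)


def minter_tasks(r: bytes) -> dict:
    """Entity 1, step 400: y_i = h(r || i) for i = 1..k. r never leaves entity 1."""
    return {i: h(r + enc(i)) for i in range(1, K + 1)}


def is_valid_ball(x: int, y: int, s: int) -> bool:
    """Step 430 check, one hash: the t least significant bits of h(x || y) equal s."""
    return h(enc(x) + enc(y)) & ((1 << T_BITS) - 1) == s


def bin_index(x: int, y: int) -> int:
    """The bin is given by the u most significant bits of h(x || y)."""
    return h(enc(x) + enc(y)) >> T_BITS


def worker_search(i, y, s, start, stop):
    """Entities 3..n, step 425: scan one slice; the reply triple (i, x, y) is the POW."""
    for x in range(start, stop):
        if is_valid_ball(x, y, s):
            return (i, x, y)
    return None                      # not every worker has a reply


def broker_collect(tasks, s, n_workers=16, slice_size=4096):
    """Entity 2, steps 420-435: disjoint slices out, verified replies compiled."""
    response = []
    for i, y in tasks.items():
        for w in range(n_workers):
            reply = worker_search(i, y, s, w * slice_size, (w + 1) * slice_size)
            if reply is not None and is_valid_ball(reply[1], reply[2], s):
                response.append(reply)
                break
    return response


def minter_verify(r: bytes, s: int, response):
    """Entity 1, step 445: two hashes per ball; the first one needs the secret r."""
    return [(i, x, y) for (i, x, y) in response
            if 1 <= i <= K and y == h(r + enc(i)) and is_valid_ball(x, y, s)]


if __name__ == "__main__":
    r = b"constructed-demo-secret"       # constructed sample value
    s = 0b1010101010                     # constructed target for the t low bits
    tasks = minter_tasks(r)
    balls = minter_verify(r, s, broker_collect(tasks, s))
    for i, x, y in balls:
        print(f"ball {i}: x={x} y={y:#06x} bin={bin_index(x, y)}")
    print("coin minted" if len(balls) == K else "coin incomplete")
```

Workers and entity 2 only ever handle (i, y_i), s and t; a ball built on a y that was not derived from r passes the single-hash check but fails the minter's first hash.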

In accordance with the present invention, the computations in the POWs received 
from entities 3 through "n" may be used by entity 2 in step 435 to convince entity 1 to accept its 
POW. Similarly, in step 445, entity 1 can use the computation performed in entity 2's POW to 
aid in the successful completion of the task of finding the requisite number of pre-image values 
that hash to the specified range of images for the purpose of minting coins. In addition, as shown 
in steps 430 and 445, and previously mentioned, these POWs can also be used to achieve a 
separate security goal. 

It will be appreciated that the secret value r is not revealed in a POW. Thus, even 
when minting is performed by way of POWs, this secret value need only be released on the day 
of coin issue (so as to permit the public to verify the validity of the coin). In particular, an 
adversary sees only the valid balls that he himself computes or which he has access to through 
colluding parties. Unless he can collect the vast majority of valid balls, though, the minting 
operation remains infeasible for him. In particular, it is infeasible for him to obtain r and create 
new balls. Observe also, that the POWs in this scheme, assuming that h has random-oracle like 
properties, are independent. 

Rivest and Shamir propose sample parameters in their paper of k = 4, l = 52, and 
t = 21 for achieving a viable minting setup. Thus, the POW based on finding a valid ball 
requires an average of 2^20 hash operations for the prover. This is, as it happens, exactly the 
hardness of the POW proposed in E. Gabber et al., "Curbing Junk E-mail Via Secure 
Classification", Financial Cryptography '98, Springer-Verlag, 1998, requiring about 2 seconds on 
a 266 MHz Pentium II processor under the hash function MD5. If the minter offloads the 
problem of finding valid balls onto clients, then his own computational effort is equal to at most 
two hashes per ball: two for verification, of which one determines which bin a given ball 
belongs in. Given the number k2^u = 2^33 of balls suggested by the heuristic calculations in the 
Rivest and Shamir paper, the minter would thus have to perform 2^34 hash function computations. 
This can be computed in well less than a day on a standard workstation with sufficient available 
memory. Without outsourcing the minting operation, the minter would be forced to perform 
roughly 2^53 hash function computations on average. 

Altogether, a set of 2^33 POWs requiring an average of 2 seconds of computation 
apiece represents a substantial amount of computation to offload onto clients. With one million 
clients, for instance, it would be necessary for each client to perform almost five hours of 
computation to complete the solution of all POWs. In many cases - as when clients can perform 
computation overnight using idle cycles - this is reasonable. Nonetheless, in some scenarios, as 
when clients are very low power devices, it may be desirable to make the POWs somewhat 
easier. We can do this as follows. Let us require that z in a valid ball have v leading "0" bits, 
and that only the first t - v bits in h(x || z) be equal to a value s. Now a POW requires only 2^(t-v-1) 
hash computations on average for a client. A POW, of course, is harder for the minter in this 
case: the minter effectively compensates for the reduced computational burden on clients by 
performing substantially more computation itself. The memory requirements in this variant of 
our scheme, however, are unchanged. 

It will be evident to those skilled in the art that variants are possible on the basic 
distributed MicroMint scheme disclosed herein that rely on different cryptographic primitives. 
For example, a coin might consist of an RSA or Rabin-Williams digital signature. These digital 
signatures are well-known in the art. A portion of the task of generating the signature might then 
be distributed in a securely blinded fashion to one or more potentially untrusted entities. One 
mechanism of accomplishing this blind distribution in order to generate a signature on a message 
m in a public modulus n would be to have the one or more untrusted entities compute m^k for a 
range of fixed exponents k. The minter could then combine these to produce a signature on m 
with substantially less work than would be required to produce the signature independently. 

Given the present disclosure, it will be understood by those of ordinary skill in the 
art that the above-described bread pudding protocol of the present invention may be readily 
implemented using one or more computer processors in communication with one or more 
memory devices having embodied therein stored programs for performing the method of the 
present invention. 

The many features and advantages of the present invention are apparent from the 
detailed specification, and thus, it is intended by the appended claims to cover all such features 
and advantages of the invention which fall within the true spirit and scope of the invention. 

Furthermore, since numerous modifications and variations such as the one 
described above will readily occur to those skilled in the art, it is not desired that the present 
invention be limited to the exact construction and operation illustrated and described herein, and 
accordingly, all suitable modifications and equivalents which may be resorted to are intended to 
fall within the scope of the claims. 

CLAIMS 

We claim: 

1. A method of using a computational effort invested in a proof of work 
(POW), comprising: distributing a task among a plurality of entities; receiving a POW relating 
to said task from one of said plurality of entities; and using said POW to accomplish said task. 

2. The method of claim 1 further comprising using said POW to accomplish 
a security goal. 

3. The method of claim 1 wherein distributing said task among a plurality of 
entities includes partitioning said task into a plurality of sub-tasks and distributing each one of 
said plurality of sub-tasks to a respective one of said plurality of entities. 

4. The method of claim 1 wherein said security goal involves restricting 
resource access by said one of said plurality of entities. 

5. A method of using a computational effort invested in a proof of work 
(POW), comprising: partitioning a minting operation into a plurality of sub-tasks; distributing 
one of said plurality of sub-tasks to one of a plurality of entities; receiving a POW from said one 
of said plurality of entities; and using said POW to accomplish said minting operation. 

6. The method of claim 5 further comprising using said POW to accomplish 
a security goal. 

7. The method of claim 5 wherein said minting operation includes 
identifying valid solutions that hash to a predetermined image and wherein said POW represents 
a valid solution. 

8. The method of claim 6 wherein said predetermined image comprises a 
range of images. 

9. The method of claim 8 wherein all images within said range of images 
have a predetermined number of least significant bits in common. 

10. The method of claim 5 wherein each of said sub-tasks comprises searching 
a different solution search space for valid solutions. 

11. The method of claim 6 wherein said security goal involves restricting 
resource access. 

12. The method of claim 7 further comprising verifying said valid solution by 
determining whether said valid solution represented by said POW hashes to said predetermined 
image. 

13. A method of using a computational effort invested in a proof of work 
(POW) comprising: distributing a minting operation among a plurality of entities in a manner 
that maintains privacy in said minting operation; receiving a POW from said one of said plurality 
of entities relating to said minting operation; and using said POW to accomplish said minting 
operation. 

14. The method of claim 13 further comprising using said POW to accomplish 
a security goal. 

15. The method of claim 13 wherein said minting operation comprises using a 
hash function to identify a predetermined number of valid solutions that hash to a target value 
and wherein said POW represents a valid solution. 

16. The method of claim 15 wherein said predetermined number of valid 
solutions comprise a coin. 

17. The method of claim 15 wherein said predetermined number of valid 
solutions hash to a portion of said target value. 

18. The method of claim 13 wherein said distributing includes instructing each 
of said plurality of entities to search within a different search space for valid solutions. 

19. The method of claim 15 wherein said privacy is maintained in said 
minting operation by keying said hash function with a secret value. 

20. The method of claim 19 wherein said secret value includes a portion 
specific to a coin. 

21. The method of claim 20 wherein said secret value includes a portion 
specific to a period of said coin's validity. 

22. The method of claim 19 wherein said hash is of a concatenation of a 
solution and a value generated using said secret value. 

23. The method of claim 13 further comprising verifying said POW. 

ABSTRACT 

The bread pudding protocol of the present invention represents a novel use of 
proofs of work and is based upon the same principle as the dish from which it takes its name, 
namely, that of reuse to minimize waste. Whereas the traditional bread pudding recipe recycles 
stale bread, our bread pudding protocol recycles the "stale" computations in a POW to perform a 
separate and useful task, while also maintaining privacy in the task. In one advantageous 
embodiment of our bread pudding protocol, we consider the computationally intensive operation 
of minting coins in the MicroMint scheme of Rivest and Shamir and demonstrate how the 
minting operation can be partitioned into a collection of POWs, which are then used to shift the 
burden of the minting operation onto a large group of untrusted computational devices. Thus, in 
accordance with one illustrative embodiment of the present invention, the computational effort 
invested in the POWs is recycled to accomplish the minting operation. 

Entity 1 who wants to compute a function f on an input g transmits f and g to entity 2. 

Entity 2 outsources the work of computing f on input g to one or more entities 3 thru n. 

Entities 3 thru n perform work as instructed and return replies x_1 thru x_{n-2} to entity 2, 
where replies are POWs. 

Entity 2 verifies replies x_1 thru x_{n-2} and uses replies to achieve security goals. 

Entity 2 also compiles replies into a response x, where response x is a POW, and thus, uses 
computations in replies to convince entity 1 to accept response x. 

Entity 2 transmits response x to entity 1. 

Entity 1 verifies response x. 

Entity 1 uses computations in response x to achieve a security goal and to aid in the 
completion of computing function f on input g. 

Entity 1 transmits hash function h to entity 2. 

Entity 1 transmits g to entity 2, where g is an instruction to look within a predefined search 
space for "k" l-bit pre-images that hash to a range "y" of l-bit images whose t least 
significant bits have a value s. 

Entity 2 transmits hash function h to entities 3 thru n. 

Entity 2 subdivides input g into g_1 thru g_{n-2}, where each subdivision defines a different 
portion of the search space in which to look for valid images. 

Entity 2 transmits g_1 thru g_{n-2} to entities 3 thru n, respectively. 

Entities 3 thru n perform work as instructed and return replies x_1 thru x_{n-2}, respectively, 
to entity 2, where replies are POWs. 

Entity 2 verifies replies x_1 thru x_{n-2} and uses replies to achieve security goals. 

Entity 2 compiles replies into a response x, where response x is a POW, and thus, uses 
computations in replies to convince entity 1 to accept response x. 

Entity 2 transmits response x to entity 1. 

Entity 1 verifies response x. 

Entity 1 uses computations in response x to achieve a security goal and to aid in minting coins. 

FIG. 3 

Entity 1 randomly selects secret value r and calculates h(r || i) to derive y_i for i=1 to k. 

Entity 1 transmits hash function h to entity 2. 

Entity 1 instructs entity 2 to find, for each y_i, a pre-image such that the "t" least 
significant bits of h(x_i || y_i) are equal to s. 

Entity 2 transmits hash function h to entities 3 thru n. 

Entity 2 transmits all the pairs (i, y_i) together with pair (s, t) to entities 3 thru n and 
instructs them to find pre-images such that the t least significant bits of image h(x_i || y_i) 
are equal to s. 

Entities 3 thru n perform work as instructed and transmit replies x_i to entity 2, where 
replies are POWs. 

Entity 2 verifies replies x_i and uses replies to achieve security goals. 

Entity 2 compiles replies into a response x, where response x is a POW, and thus, uses replies 
to convince entity 1 to accept response x. 

Entity 2 transmits response x to entity 1. 

Entity 1 verifies the response x and uses response x to accomplish both a security goal and a 
minting operation. 
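
The FIG. 3 exchange, as an added Python example that is not part of the patent text: entity 1 keys the targets with its secret r, workers search disjoint slices for pre-images, and both entity 2 and entity 1 re-check every reply. SHA-256 as h, the byte encodings of i and x, the slice sizes, the parameter values and all function names are assumptions made for the demonstration.

```python
import hashlib

X_BYTES = 8  # demo width of a pre-image x (assumption, not from the page)

def h(data: bytes) -> bytes:
    """The hash function h; SHA-256 is an assumption made for this demo."""
    return hashlib.sha256(data).digest()

def derive_targets(r: bytes, k: int) -> list[bytes]:
    """Entity 1: y_i = h(r || i) for i = 1..k, keyed with the secret r."""
    return [h(r + i.to_bytes(4, "big")) for i in range(1, k + 1)]

def is_valid(x: int, y: bytes, s: int, t: int) -> bool:
    """POW check: the t least significant bits of h(x || y) equal s."""
    if not 0 <= x < 1 << (8 * X_BYTES):
        return False  # reject replies outside the encodable search space
    image = int.from_bytes(h(x.to_bytes(X_BYTES, "big") + y), "big")
    return image & ((1 << t) - 1) == s

def worker_search(y: bytes, s: int, t: int, start: int, stop: int):
    """Entities 3..n: scan only the assigned slice [start, stop) for a valid x."""
    for x in range(start, stop):
        if is_valid(x, y, s, t):
            return x
    return None

def entity2_collect(targets, s, t, workers=4, slice_size=1 << 18):
    """Entity 2: hand each worker a disjoint slice, verify every reply
    before using it, and compile the verified replies into response x."""
    response = []
    for i, y in enumerate(targets, start=1):
        for w in range(workers):
            x = worker_search(y, s, t, w * slice_size, (w + 1) * slice_size)
            if x is not None and is_valid(x, y, s, t):  # never trust a reply
                response.append((i, x))
                break
        else:
            raise RuntimeError(f"no pre-image found for y_{i}")
    return response

def entity1_accepts(response, r: bytes, k: int, s: int, t: int) -> bool:
    """Entity 1: recompute every y_i from r and re-check the whole response."""
    targets = derive_targets(r, k)
    if sorted(i for i, _ in response) != list(range(1, k + 1)):
        return False  # a target is missing, duplicated or out of range
    return all(is_valid(x, targets[i - 1], s, t) for i, x in response)

def demo():
    r = b"constructed-demo-secret"  # constructed; a real r is chosen at random
    k, s, t = 3, 0x5A5, 12          # constructed parameters
    response = entity2_collect(derive_targets(r, k), s, t)
    return r, k, s, t, response

if __name__ == "__main__":
    r, k, s, t, response = demo()
    print("response:", response)
    print("accepted:", entity1_accepts(response, r, k, s, t))
```

Workers only ever see the y_i values, never r, so a response is checkable by entity 1 alone; each verification costs one hash per reply against roughly 2^t hashes of search.
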

IN THE UNITED STATES 
PATENT AND TRADEMARK OFFICE 

Declaration and Power of Attorney 
As the below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to 
my name. 

I believe I am the original, first and joint inventor of the subject matter which is 
claimed and for which a patent is sought on the invention entitled PROOFS OF 
WORK AND BREAD PUDDING PROTOCOLS the specification of which is 
attached hereto. 

I hereby state that I have reviewed and understand the contents of the above 
identified specification, including the claims, as amended by an amendment, if any, 
specifically referred to in this oath or declaration. 

I acknowledge the duty to disclose all information known to me which is 
material to patentability as defined in Title 37, Code of Federal Regulations, 1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, 
119 of any foreign application(s) for patent or inventor's certificate listed below and 
have also identified below any foreign application for patent or inventor's certificate 
having a filing date before that of the application on which priority is claimed: 

None 

I hereby claim the benefit under Title 35, United States Code, 120 of any 
United States application(s) listed below and, insofar as the subject matter of each 
of the claims of this application is not disclosed in the prior United States application 
in the manner provided by the first paragraph of Title 35, United States Code, 112, I 
acknowledge the duty to disclose all information known to me to be material to 
patentability as defined in Title 37, Code of Federal Regulations, 1.56 which became 
available between the filing date of the prior application and the national or PCT 
international filing date of this application: 

None 

I hereby declare that all statements made herein of my own knowledge are 
true and that all statements made on information and belief are believed to be true; 
and further that these statements were made with the knowledge that willful false 
statements and the like so made are punishable by fine or imprisonment, or both, 
under Section 1001 of Title 18 of the United States Code and that such willful false 
statements may jeopardize the validity of the application or any patent issued 
thereon. 



I hereby appoint the following attorney(s) with full power of substitution and 
revocation, to prosecute said application, to make alterations and amendments 
therein, to receive the patent, and to transact all business in the Patent and 
Trademark Office connected therewith: 

Lester H. Birnbaum (Reg. No. 25830) 

Richard J. Botos (Reg. No. 32016) 

Jeffery J. Brosemer (Reg. No. 36096) 

Kenneth M. Brown (Reg. No. 37590) 

Craig J. Cox (Reg. No. 39643) 

Donald P. Dinella (Reg. No. 39961) 

Guy Eriksen (Reg. No. 41736) 

Martin I. Finston (Reg. No. 31613) 

James H. Fox (Reg. No. 29379) 

William S. Francos (Reg. No. 38456) 

Barry H. Freedman (Reg. No. 26166) 

Julio A. Garceran (Reg. No. 37138) 

Mony R. Ghose (Reg. No. 38159) 

Jimmy Goo (Reg. No. 36528) 

Anthony Grille (Reg. No. 36535) 

Stephen M. Gurey (Reg. No. 27336) 

John M. Herman (Reg. No. 38173) 

Michael B. Johannesen (Reg. No. 35557) 

Mark A. Kurisko (Reg. No. 38944) 

Irena Lager (Reg. No. 39260) 

Christopher N. Malvone (Reg. No. 34866) 

Scott W. McLellan (Reg. No. 30776) 

Martin G. Meder (Reg. No. 34674) 

John C. Moran (Reg. No. 30782) 

Michael A. Morra (Reg. No. 28975) 

Gregory J. Murgia (Reg. No. 41209) 

Claude R. Narcisse (Reg. No. 38979) 

Joseph J. Opalach (Reg. No. 36229) 

Neil R. Ormos (Reg. No. 35309) 

Eugen E. Pacher (Reg. No. 29964) 

Jack R. Penrod (Reg. No. 31864) 

Daniel J. Piotrowski (Reg. No. 42079) 

Gregory C. Ranieri (Reg. No. 29695) 

Scott J. Rittman (Reg. No. 39010) 

Eugene J. Rosenthal (Reg. No. 36658) 

Bruce S. Schneider (Reg. No. 27949) 

Ronald D. Slusky (Reg. No. 26585) 

David L. Smith (Reg. No. 30592) 

Patricia A. Verlangieri (Reg. No. 42201) 

John P. Veschi (Reg. No. 39058) 

David Volejnicek (Reg. No. 29355) 

Charles L. Warren (Reg. No. 27407) 

Jeffrey M. Weinick (Reg. No. 36304) 

Eli Weiss (Reg. No. 17765) 

I hereby appoint the attorney(s) on ATTACHMENT A as associate attorney(s) 
in the aforementioned application, with full power solely to prosecute said 
application, to make alterations and amendments therein, to receive the patent, and 
to transact all business in the Patent and Trademark Office connected with the 
prosecution of said application. No other powers are granted to such associate 
attorney(s) and such associate attorney(s) are specifically denied any power of 
substitution or revocation. 

Full name of 1st joint inventor: Bjorn Markus Jakobsson 

Inventor's signature ________ Date ________ 



Residence: 1203 Garden Street, Hoboken, NJ 07030 USA 

Citizenship: Sweden 

Post Office Address: Same as residence 

Full name of 2nd joint inventor: Ari Juels 

Inventor's signature ________ Date ________ 

Residence: 131 Freeman Street, Apt. 3, Brookline, MA 02446 USA 

Citizenship: United States 

Post Office Address: Same as residence 

ATTACHMENT A 

Attorney Name(s): Christopher A. Hughes Reg. No.: 26,914 

Peter N. Fill Reg. No.: 38,876 

Telephone calls should be made to Morgan & Finnegan at: 
Phone No.: (212) 758-4800 
Fax No.: (212) 751-6849 



All written communications are to be addressed to: 

Morgan & Finnegan, L.L.P. 
345 Park Avenue 
New York, New York 10154-0053 